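---
# Release workflow: runs semantic-release to cut a GitHub release, opens a PR
# carrying the regenerated changelog, then signs the release assets with
# Sigstore/Cosign in a separate, lower-privileged job.
#
# Both jobs pin every action to a full commit SHA and run behind
# step-security/harden-runner with an explicit egress allowlist, so a new
# network destination has to be added here deliberately.
name: Release

on: # yamllint disable-line rule:truthy
  workflow_dispatch:

# No default token permissions; each job declares exactly what it needs.
permissions: {}

jobs:
  release-perform:
    name: Release - Perform
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    permissions:
      contents: write # Required to publish a GitHub release
      issues: write # Required to comment on released issues
      pull-requests: write # Required to comment on released pull requests
    outputs:
      # Consumed by release-sign to know which release's assets to sign.
      release-tag: ${{ steps.release.outputs.tag }}
    env:
      CHANGELOG_FILE: ${{ github.workspace }}/docs/CHANGELOG.md
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
            uploads.github.com:443
            repo.maven.apache.org:443
            jitpack.io:443
            repo.papermc.io:443
            api.nuget.org:443
            registry.npmjs.org:443

      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0 # Required by semantic-release
          # Credentials are intentionally persisted (default) because the
          # changelog step below pushes a branch with the workflow token.

      - name: Config Git user as release bot
        env:
          # https://github.com/orgs/community/discussions/26560#discussioncomment-3252339
          RELEASE_BOT_NAME: 'github-actions[bot]'
          RELEASE_BOT_EMAIL: '41898282+github-actions[bot]@users.noreply.github.com'
        run: |
          git config --global user.name "${RELEASE_BOT_NAME}"
          git config --global user.email "${RELEASE_BOT_EMAIL}"

      - name: Setup Node.js
        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
        with:
          node-version: lts/iron
          cache: npm
          cache-dependency-path: .github/package-lock.json

      - name: Setup Java
        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
        with:
          java-version: '17'
          distribution: temurin

      - name: Install semantic-release
        working-directory: .github/
        run: npm clean-install

      - name: Release
        id: release
        env:
          GITHUB_TOKEN: ${{ github.token }}
          # Hacky way of retrieving the released version tag name through a temporary file
          TMP_TAG_VERSION_NAME_FILE: ${{ runner.temp }}/tag_version_name
        working-directory: .github/
        run: |
          npx --no-install semantic-release
          echo "tag=$(cat "${TMP_TAG_VERSION_NAME_FILE}")" >> "${GITHUB_OUTPUT}"

      - name: Create a PR for creating/updating the changelog file
        env:
          GITHUB_TOKEN: ${{ github.token }}
          # Values derived from step outputs and git refs are passed through
          # environment variables instead of being interpolated into the
          # script text, so they cannot alter the shell command structure
          # (see GitHub's guidance on script injection in `run:` steps).
          RELEASE_TAG: ${{ steps.release.outputs.tag }}
          CHANGELOG_BRANCH_NAME: changelog/${{ steps.release.outputs.tag }}
          BASE_BRANCH: ${{ github.ref_name }}
        run: |
          git switch --create "${CHANGELOG_BRANCH_NAME}"
          git add "${CHANGELOG_FILE}"
          git commit --message="docs(changelog): release ${RELEASE_TAG}" "${CHANGELOG_FILE}"
          git push --set-upstream origin "${CHANGELOG_BRANCH_NAME}"
          gh pr create --fill \
            --label 't:release' \
            --base "${BASE_BRANCH}" \
            --head "${CHANGELOG_BRANCH_NAME}"

  release-sign:
    name: Release - Sign
    runs-on: ubuntu-22.04
    timeout-minutes: 5
    needs: release-perform
    permissions:
      contents: write # Required to add assets in existing GitHub release
      id-token: write # Required for signing through Sigstore
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            uploads.github.com:443
            objects.githubusercontent.com:443
            fulcio.sigstore.dev:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443

      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # This job never pushes; keep the token out of .git/config.
          persist-credentials: false

      - name: Install Cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0

      - name: Sign GitHub release assets
        env:
          GITHUB_TOKEN: ${{ github.token }}
          # Expected signing identity: this exact workflow file on this server.
          CERTIFICATE_IDENTITY: ${{ github.server_url }}/${{ github.workflow_ref }}
          CERTIFICATE_OIDC_ISSUER: https://token.actions.githubusercontent.com
          # Passed via env (not interpolated into the command) for the same
          # injection-hardening reason as in release-perform.
          RELEASE_TAG: ${{ needs.release-perform.outputs.release-tag }}
        run: .github/scripts/sign_gh_release_assets.sh "${RELEASE_TAG}"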